This invention relates to the field of image processing. More specifically, this invention relates to intentionally distorting the machine representation of biometrics and then using the distorted biometrics in secure and privacy-preserving transaction processing.
A biometric is a physical or behavioral characteristic of a person that can be used to determine or authenticate a person's identity. Biometrics such as fingerprint impressions have been used in law enforcement agencies for decades to identify criminals. More recently other biometrics such as face, iris and signature are starting to be used to identify persons in many types of transactions, such as check cashing and ATM use. An automated biometrics identification system analyzes a biometrics signal using pattern recognition techniques and arrives at a decision whether the query biometrics signal is already present in the database. An authentication system tests whether the query biometrics is equal, or similar, to the stored biometrics associated with the claimed identity. A generic automated biometrics system has three stages: (i) signal acquisition; (ii) signal representation and (iii) pattern matching.
Authentication of a person is a fundamental task in many day to day activities. Several well established processes such as possession of a driver's license, passwords, ATM cards, PINs and combinations thereof are used depending on the level of security needed by the application. Transaction oriented systems such as bank ATMs and point-of-sale terminals in retail stores require authentication tools for every transaction session. In a typical transaction, the client computer (ATM machine, cash register) transmits the account details of the customer as read from his card and the transaction details as entered by the clerk (or customer) to an authorization server. The authorization server checks the validity of the account, the account balance, and the credit limit, then approves or rejects the transaction. Approved credit card transactions result in payment from the credit card banking agencies to the store; approved ATM withdrawal transactions result in delivering cash. Except for the use of PINs (in ATMs and for debit cards) or a signature on the credit card authorization slip in a store, very little is done to authenticate the user. Biometrics can play a significant role in such scenarios. For transactions such as the self-serve purchase of gasoline, mere possession of a credit card is often enough. There is no attempt to determine that the card is used by the rightful owner.
One of the impediments in advancing the use of biometric authentication in commercial transaction systems is the public's perception of invasion of privacy. Beyond private information such as name, date of birth and other such parametric data, the user is asked to give images of their body parts, such as fingers, faces and irises. These images, or other biometrics signals, will in many cases be stored in digital form in databases. With this digital technology, it may be very easy to copy biometrics signals and use the data for other purposes. For example, hackers could snoop on communication channels, intercept biometrics signals and reuse them without the knowledge of the proper owner of the biometrics. Another concern is the possible sharing of databases of biometrics signals with law enforcement agencies, or sharing of these databases among commercial organizations. The latter, of course, is a concern for any data gathered about customers. These privacy concerns can be summarized as follows:
1. Much data about customers and customer behavior is stored. The public is concerned about every bit of additional information that is known about them.
2. The public is, in general, suspicious of central storage of information that is associated with individuals. This type of data ranges from medical records to biometrics. These databases can be used and misused for all sorts of purposes, and the databases can be shared among organizations.
3. The public is, rightfully or wrongfully so, worried about giving out biometrics because these could be used for matching against databases used by law enforcement agencies. They could, for example, be matched against the FBI or INS fingerprint databases to obtain criminal records. Hence, the transmission and storage of biometrics coupled with other personal parametric data is a concern. The potential use of these biometrics for searching other databases is a further concern.
Many of these concerns are aggravated by the fact that a biometric cannot be changed. One of the properties that makes biometrics so attractive for authentication purposes, their invariance over time, is also one of their liabilities. When a credit card number is somehow compromised, the issuing bank can assign the customer a new credit card number. In general, when using artificial means, such an authentication problem can be easily fixed by canceling the compromised token and reissuing a new token to the user. When a biometric is compromised, however, the user has very few options. In the case of fingerprints, the user has nine other options (his other fingers), but in the case of face or iris, the alternatives are quickly exhausted or nonexistent.
A further inconvenience of biometrics is that the same biometric may be used for several unrelated applications. That is, the user may enroll for several different services using the same biometric: for building access, for computer login, for ATM use and so on. If the biometric is compromised in one application, it is essentially compromised for all of them and would somehow need to be changed.
Several items of prior art propose methods for revoking keys and other authentication tokens. Because the keys and certificates are machine generated, they are easy to revoke conceptually.
A prior art image morphing technique that creates intermediate images to be viewed serially to make a source object metamorphose into a different object is disclosed in:
Stanley E. Sclaroff and Alex Pentland, "Finite-element method for image alignment and morphing", U.S. Pat. No. 5,590,261, December 1996.
This reference is incorporated herein by reference in its entirety.
U.S. Pat. No. 5,590,261 to Sclaroff and Pentland describes a finite element-based method to determine the intermediate images based on motion modes of embedded nodal points in the source and the target image. Embedded nodal points that correspond to feature points in the images are represented by a generalized feature vector. Correspondence of feature points in the source and target image is determined by closeness of points in the feature vector space. This technique is applied to the field of video production, not biometrics, and focuses on a correspondence assignment technique that reduces the degree to which human intervention is required in morphing. Furthermore, for this technique to be applicable the source and the target images must both be known.
The following references are incorporated by reference in their entirety:
Silvio Micali, "Certificate revocation system", U.S. Pat. No. 5,793,868, August 1998.
Silvio Micali, "Certificate revocation system", U.S. Pat. No. 5,666,416, September 1997.
Silvio Micali, "Witness-based certificate revocation system", U.S. Pat. No. 5,717,758, February 1998.
U.S. Pat. No. 5,793,868 to S. Micali discloses certificate management involving a certification authority (CA). Often, when a key in a public key infrastructure has been compromised, or the user is no longer a client of a particular CA, the certificate has to be revoked. The CA periodically issues a certificate revocation list (CRL), which is very long and needs to be broadcast to all. The disclosure proposes to generate a hash of at least a part of the certificate. Minimal data identifying the certificate is added to the CRL if the data items are shared by two or more revoked certificates. The proposed method thus optimizes the size of the CRL, hence lessening transmission time. U.S. Pat. No. 5,793,868 deals with machine generated certificates, not signals of body parts. Furthermore, it is concerned with making the revocation process more efficient rather than with making it possible at all.
U.S. Pat. No. 5,666,416 to S. Micali deals with public key management without explicitly providing any list of revoked certificates. A user can receive an individual piece of information about any public key certificate. Methods are described to provide positive information about the validity status of each not-yet expired certificate. In the proposed method, the CA will provide certificate validity information without requiring a trusted directory. In addition, it also describes schemes to prove that a certificate was never issued or even existed in a CA. The techniques described here are only applicable to machine generated keys that are easily canceled, not to biometrics.
U.S. Pat. No. 5,717,758 to S. Micali further deals with a public key infrastructure. In the proposed scheme, an intermediary provides certificate information by receiving authenticated certificate information, then processing a portion of the authenticated information to obtain the deduced information. If the deduced information is consistent with the authentication information, a witness constructs the deduced information and authenticates it. The main novelty of the disclosure is that it avoids transmission of a long certificate revocation list (CRL) to all users, and handling of non-standard CRLs is left to the intermediary. The method addresses issues relevant to machine generated keys and their management, but not to biometrics signals. And, again, the focus is on the privacy of certificates and the efficiency of revocation, not on making revocation possible in the first place.
The following reference is incorporated by reference in its entirety:
R. J. Perlman and C. W. Kaufman, "Method of issuance and revocation of certificate of authenticity used in public key networks and other systems", U.S. Pat. No. 5,261,002, November 1993.
U.S. Pat. No. 5,261,002 to Perlman and Kaufman describes a technique to issue and revoke user certificates containing no expiration dates. The lack of expiration dates minimizes the overhead associated with routine renewals. The proposed method issues a signed list of invalid certificates (referred to as a blacklist) containing a blacklist start date, a blacklist expiration date, and an entry for each user whose certificate was issued after the blacklist start date but is invalid now. The method describes revocation and issuance of machine generated certificates but does not address the special properties of biometrics.
Standard cryptographic methods and biometric images or signals are combined in the following reference (incorporated by reference in its entirety):
G. V. Piosenka and R. V. Chandos, "Unforgeable personal identification system", U.S. Pat. No. 4,993,068, February 1991. (Piosenka)
U.S. Pat. No. 4,993,068 to Piosenka and Chandos deals with combining standard cryptographic methods and biometric images or signals. The proposed scheme encrypts a set of physically immutable identification credentials (e.g., biometrics) of a user and stores them on a portable memory device. It uses modern public key or one-way cryptographic techniques to make the set of credentials unforgeable. These credentials are stored in a credit-card sized portable memory device for privacy. At a remote site, the user presents the physical biometrics (i.e. himself or his body parts) and the portable memory card for comparison by a server. This technique, though useful, is susceptible to standard attacks on the encryption scheme and can potentially expose the biometrics if the encryption is broken. Furthermore, after decryption the true biometrics signals are available to the server for possible comparison with other databases, thus lessening personal privacy.
The following reference is incorporated by reference in its entirety:
D. Naccache and P. Fremanteau, "Unforgeable identification device, identification device reader and method of identification", U.S. Pat. No. 5,434,917, July 1995.
U.S. Pat. No. 5,434,917 to Naccache and Fremanteau deals with designing an unforgeable memory card at an affordable price without the need to have a processor on the card. The plastic support of the card is manufactured with randomly distributed ferrite particles. This unique distribution of particles is combined with standard user identification information to create a secure digital signature. The digital signature along with the owner ID is then stored on the card (by use of a magnetic strip or similar means). The reader authenticates the user by reading the ID and also sensing the ferrite particle distribution. It then checks that the stored digital signature is the same signature as would be formed by combining the given ID and the observed particle distribution. The unforgeable part of the technique is related to the random distribution of ferrite particles in the plastic substrate during the fabrication process. The identification details of the owner are not related to biometrics.
A software system called "Stirmark" to evaluate the robustness of data hiding techniques is described in:
A. P. Petitcolas and R. J. Anderson, "Evaluation of copyright marking systems", Proc. IEEE Multimedia Systems 99, Vol. 1, pp. 574-579, 7-11 June 1999.
The Stirmark system of this reference applies minor, unnoticeable geometric distortions in the form of slight stretches, shears, shifts, bends, and rotations. Stirmark also introduces high frequency displacements, a modulated low frequency deviation, and smoothly distributed error into samples for testing data hiding techniques. This disclosure is concerned with testing whether a watermark hidden in the signal can still be recovered after these unnoticeable distortions. This system does not intentionally distort a signal in order to enhance privacy or to allow for revocation of authorization.
This reference is herein incorporated by reference in its entirety.
An object of this invention is an improved system and method for using biometrics.
An object of this invention is an improved system and method of using a biometric with increased security.
An object of this invention is an improved system and method of using a biometric that is cancelable.
An object of this invention is an improved system and method of using a biometric with improved privacy.
For many applications, user authentication is an important and essential component. Automated biometrics can provide accurate and non-repudiable authentication methods. In the digital world the same advantage comes with several serious disadvantages. The digital representation of a biometrics signal can be used for many applications unbeknownst to the owner. Secondly, the signal can be easily transmitted to law enforcement agencies, thus violating the users' privacy. We describe methods that overcome these problems by employing signal scrambling and morphing techniques to intentionally distort the original biometrics signal so that no two installations share the same resulting signal.
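The following Python script is an added worked example, not code from the patent, illustrating the idea stated above: a keyed distortion is applied to a biometric feature vector before anything is stored, so that each installation holds a different template of the same finger, a template stolen from one installation does not match at another, and a compromised template is revoked by changing the installation's key and re-enrolling. The feature vectors are constructed random data standing in for the output of the representation stage; the transform (a keyed permutation of feature indices as the "scrambling" and a keyed low-frequency sinusoidal displacement as the "morphing", in the spirit of the smooth displacements the Stirmark passage describes), the match threshold and the installation key names are hypothetical choices, not the patent's own distortion.

```python
"""Cancelable-biometric demo: keyed "scramble + morph" distortion of a feature
vector before storage.  Added example; not the patent's code.  Feature vectors
are constructed random data; the transform and keys are hypothetical."""
import hashlib
import hmac
import math
import random

DIM = 64            # length of the (constructed) biometric feature vector
THRESHOLD = 1.0     # Euclidean distance below which two templates "match"


def _keyed_rng(install_key: bytes, label: bytes) -> random.Random:
    """Deterministic PRNG seeded from an installation secret via HMAC-SHA256,
    so the same key always yields the same distortion."""
    seed = hmac.new(install_key, label, hashlib.sha256).digest()
    return random.Random(int.from_bytes(seed, "big"))


def derive_transform(install_key: bytes, dim: int = DIM):
    """Derive this installation's distortion: a permutation of the feature
    indices (scrambling) plus a smooth sinusoidal offset field (morphing)."""
    rng = _keyed_rng(install_key, b"cancelable-transform")
    perm = list(range(dim))
    rng.shuffle(perm)
    freq = rng.uniform(1.0, 3.0)
    phase = rng.uniform(0.0, 2 * math.pi)
    amp = rng.uniform(0.3, 0.6)
    offsets = [amp * math.sin(2 * math.pi * freq * i / dim + phase) for i in range(dim)]
    return perm, offsets


def distort(features, transform):
    """Apply the distortion.  Only the distorted vector is stored or sent."""
    perm, offsets = transform
    return [features[perm[i]] + offsets[i] for i in range(len(perm))]


def distance(a, b) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def matches(template, query, threshold: float = THRESHOLD) -> bool:
    return distance(template, query) < threshold


def sample_biometric(person_seed: int, capture_id: int = 0, noise: float = 0.0):
    """Constructed stand-in for acquisition + representation: a fixed
    per-person vector plus per-capture Gaussian measurement noise."""
    person = random.Random(person_seed)
    base = [person.uniform(0.0, 1.0) for _ in range(DIM)]
    capture = random.Random(person_seed * 7919 + capture_id)
    return [v + capture.gauss(0.0, noise) for v in base]


def run_demo() -> dict:
    alice_enroll = sample_biometric(1, capture_id=0)              # enrollment capture
    alice_query = sample_biometric(1, capture_id=1, noise=0.05)   # later, noisy capture
    mallory_query = sample_biometric(2, capture_id=0, noise=0.05)  # a different person

    bank = derive_transform(b"bank-installation-secret")          # hypothetical keys
    building = derive_transform(b"building-access-secret")
    bank_template = distort(alice_enroll, bank)          # what the bank stores
    building_template = distort(alice_enroll, building)  # what the building stores

    results = {
        # genuine user at the bank: distorted query matches distorted template
        "genuine_same_install": matches(bank_template, distort(alice_query, bank)),
        # impostor at the bank: no match
        "impostor_same_install": matches(bank_template, distort(mallory_query, bank)),
        # a template stolen from the bank is useless at the building
        "stolen_template_cross_install": matches(building_template, bank_template),
        "cross_install_distance": distance(bank_template, building_template),
    }
    # Revocation: the bank rotates its key and re-enrolls Alice.  The old
    # template no longer matches a fresh query; the new template does.
    bank_v2 = derive_transform(b"bank-installation-secret-v2")
    new_template = distort(alice_enroll, bank_v2)
    results["old_template_after_revocation"] = matches(bank_template, distort(alice_query, bank_v2))
    results["new_template_after_revocation"] = matches(new_template, distort(alice_query, bank_v2))
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Because the permutation and the offset field are identical for every capture at one installation, they preserve the distance between a stored template and a fresh query, so the installation's matcher behaves exactly as it would on raw vectors, while the same finger enrolled at two installations yields templates several times farther apart than the threshold. Two caveats a deployment would need to address: this toy transform is invertible by anyone holding the installation key, so the key requires the same protection as a raw template, and a system that wants the original signal to be unrecoverable even from the stored template needs a distortion that is deliberately not invertible.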